ipa/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch


From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 30 Mar 2015 04:17:55 -0400
Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb.
https://fedorahosted.org/freeipa/ticket/4190
---
freeipa.spec.in | 4 +++-
init/systemd/ipa.conf.tmpfiles | 1 +
install/conf/ipa.conf | 16 +++++-----------
ipalib/session.py | 20 ++++++++++----------
ipaserver/rpcserver.py | 2 +-
5 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
Requires: mod_nss >= 1.0.8-26
Requires: python-ldap >= 2.4.15
Requires: python-krbV
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -680,6 +681,7 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,2 +1,3 @@
d /var/run/ipa_memcached 0700 apache apache
d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
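Review bot: The new `d /var/run/httpd/clientcaches 0700 apache apache` entry creates the directory that `GssapiDelegCcacheDir` (install/conf/ipa.conf) fills with per-user delegated credential caches, but it carries no age column, so systemd-tmpfiles will never clean it. Unless mod_auth_gssapi removes stale caches itself, which this patch does not show, every user's ccache stays on disk until the next reboot, which is a larger window than the ticket it holds. Consider an age that cannot remove a cache still in use, e.g. `d /var/run/httpd/clientcaches 0700 apache apache 1d`, or a dedicated cleanup job, and mirror the decision in the two matching entries the same patch adds to freeipa.spec.in. The 0700 apache ownership here and in the spec is the right minimum for a directory holding credentials.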
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -3,7 +3,6 @@
#
# This file may be overwritten on upgrades.
#
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
ProxyRequests Off
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
SetHandler None
</Location>
-KrbConstrainedDelegationLock ipa
-
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
- AuthType Kerberos
+ AuthType GSSAPI
AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
- KrbSaveCredentials on
- KrbConstrainedDelegation on
+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+ GssapiDelegCcacheDir /var/run/httpd/clientcaches
+ GssapiUseS4U2Proxy on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
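Review bot: The realm restriction that the removed `KrbAuthRealms $REALM` imposed has no counterpart in the new `<Location "/ipa">` block, so every principal the HTTP keytab can accept, including ones from trusted realms, now satisfies `Require valid-user`. If that widening is intended for trust setups, say so in a comment above `AuthType GSSAPI`; otherwise an httpd 2.4 `Require expr` on `%{REMOTE_USER}` can restore the realm check. Since `GssapiDelegCcacheDir` with `GssapiUseS4U2Proxy on` now writes each caller's delegated credentials to `/var/run/httpd/clientcaches`, the block would also benefit from `GssapiSSLonly On` so that Negotiate tokens are only accepted over TLS, unless an https redirect elsewhere in this file already guarantees it. The dropped `KrbMethodK5Passwd off` presumably maps to mod_auth_gssapi's default of not offering Basic auth; a one-line comment saying so would spare the next reader the check.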
diff --git a/ipalib/session.py b/ipalib/session.py
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
--- a/ipalib/session.py
+++ b/ipalib/session.py
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
There are 4 major players:
1. client
- 2. mod_auth_kerb (in Apache process)
+ 2. mod_auth_gssapi (in Apache process)
3. wsgi handler (in IPA wsgi python process)
4. ds (directory server)
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
2. Client sends post to /ipa/json.
- 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+ 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
authenticate negotiate.
4. Client resends with credentials
- 5. mod_auth_kerb validates credentials
+ 5. mod_auth_gssapi validates credentials
a. if invalid replies 403 access denied (stops here)
@@ -550,7 +550,7 @@ A few notes about the session implementation.
Changes to Apache's resource protection
---------------------------------------
- * /ipa/json is no longer protected by mod_auth_kerb. This is
+ * /ipa/json is no longer protected by mod_auth_gssapi. This is
necessary to avoid the negotiate expense in steps 3,4,5
above. Instead the /ipa/json resource will be protected in our wsgi
handler via the session cookie.
@@ -583,15 +583,15 @@ The new sequence is:
5. client sends request to /ipa/login to obtain session credentials
- 6. mod_auth_kerb replies 401 negotiate on /ipa/login
+ 6. mod_auth_gssapi replies 401 negotiate on /ipa/login
7. client sends credentials to /ipa/login
- 8. mod_auth_kerb validates credentials
+ 8. mod_auth_gssapi validates credentials
a. if valid
- - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+ - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
invoked and does the following:
* establishes session for client
@@ -600,7 +600,7 @@ The new sequence is:
a. if invalid
- - mod_auth_kerb sends 403 access denied (processing stops)
+ - mod_auth_gssapi sends 403 access denied (processing stops)
9. client now posts the same data again to /ipa/json including
session cookie. Processing repeats starting at step 2 and since
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
calls are marshalled and unmarshalled.
Under the new scheme /ipa/xml will continue to be Kerberos protected
-at all times. Apache's mod_auth_kerb will continue to require the
+at all times. Apache's mod_auth_gssapi will continue to require the
client provides valid Kerberos credentials.
When the WSGI handler routes to /ipa/xml the Kerberos credentials will
be extracted from the KRB5CCNAME environment variable as provided by
-mod_auth_kerb. Everything else remains the same.
+mod_auth_gssapi. Everything else remains the same.
'''
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
def __call__(self, environ, start_response):
self.debug('WSGI login_kerberos.__call__:')
- # Get the ccache created by mod_auth_kerb
+ # Get the ccache created by mod_auth_gssapi
user_ccache_name=environ.get('KRB5CCNAME')
if user_ccache_name is None:
return self.internal_error(environ, start_response,
--
2.3.4